Sec+ Objective 5 Test Questions Flashcards

1
Q

A company is formalizing the design and deployment process used by their application programmers. Which of the following policies would apply?

❍ A. Business continuity
❍ B. Acceptable use policy
❍ C. Incident response
❍ D. Development lifecycle

A

D. Development lifecycle

A formal software development lifecycle defines the specific policies associated with the design, development, testing, deployment, and maintenance of the application development process. (5.1)

2
Q

A company hires a large number of seasonal employees, and their system access should normally be disabled when the employee leaves the company. The security administrator would like to verify that their systems cannot be accessed by any of the former employees. Which of the following would be the BEST way to provide this verification?

❍ A. Confirm that no unauthorized accounts have administrator access
❍ B. Validate the account lockout policy
❍ C. Validate the offboarding processes and procedures
❍ D. Create a report that shows all authentications for a 24-hour period

A

C. Validate the offboarding processes and procedures

The disabling of an employee account is commonly part of the offboarding process. One way to validate an offboarding policy is to perform an audit of all accounts and compare active accounts with active employees. (5.1)

3
Q

An organization maintains a large database of customer information for sales tracking and customer support. Which person in the organization would be responsible for managing the access rights to this data?

❍ A. Data processor
❍ B. Data owner
❍ C. Data subject
❍ D. Data custodian

A

D. Data custodian

The data custodian manages access rights and sets security controls on the data. (5.1)

4
Q

The Vice President of Sales has asked the IT team to create daily backups of the sales data. The Vice President is an example of a:

❍ A. Data owner
❍ B. Data controller
❍ C. Data steward
❍ D. Data processor

A

A. Data owner

The data owner is accountable for specific data, so this person is often a senior officer of the organization. (5.1)

5
Q

A company’s human resources team maintains a list of all employees participating in the corporate savings plan. A third-party financial company uses this information to manage stock investments for the employees. Which of the following would describe this financial company?

❍ A. Processor
❍ B. Owner
❍ C. Controller
❍ D. Custodian

A

A. Processor

A data processor performs some type of action on the data, and this is often a different group within the organization or a third-party company. In this example, the third-party financial organization is the data processor of the employees’ financial data. (5.1)

6
Q

The contract of a long-term temporary employee is ending. Which of these would be the MOST important part of the off-boarding process?

❍ A. Perform an on-demand audit of the user’s privileges
❍ B. Archive the decryption keys associated with the user account
❍ C. Document the user’s outstanding tasks
❍ D. Obtain a signed copy of the Acceptable Use Policies

A

B. Archive the decryption keys associated with the user account

Without the decryption keys, it will be impossible to access any of the user’s protected files once they leave the company. Given the other possible answers, this one is the only one that would result in unrecoverable data loss if not properly followed. (5.1)

7
Q

A company is implementing a series of steps to follow when responding to a security event. Which of the following would provide this set of processes and procedures?

❍ A. MDM
❍ B. DLP
❍ C. Playbook
❍ D. Zero trust

A

C. Playbook

A playbook provides a conditional set of steps to follow when addressing a specific event. An organization might have separate playbooks for investigating a data breach, responding to a virus infection, or recovering from a ransomware attack. (5.1)

8
Q

During the onboarding process, the IT department requires a list of software applications associated with the new employee’s job functions. Which of the following would describe the use of this information?

❍ A. Access control configuration
❍ B. Encryption settings
❍ C. Physical security requirements
❍ D. Change management

A

A. Access control configuration

The onboarding team needs to assign the proper access controls to new employees, and the list of applications provides additional details regarding application and data access. (5.1)

9
Q

A system administrator is working on a contract that will specify a minimum required uptime for a set of Internet-facing firewalls. The administrator needs to know how often the firewall hardware is expected to fail between repairs. Which of the following would BEST describe this information?

❍ A. MTBF
❍ B. RTO
❍ C. MTTR
❍ D. RPO

A

A. MTBF

The MTBF (Mean Time Between Failures) is a prediction of how often a repairable system will fail. (5.2)

10
Q

Which of the following is used to describe how cautious an organization might be about taking a specific risk?

❍ A. Risk appetite
❍ B. Risk register
❍ C. Risk transfer
❍ D. Risk reporting

A

A. Risk appetite

A risk appetite is a broad description of how much risk-taking is deemed acceptable. An organization’s risk appetite posture might be conservative, or they might be more expansionary and willing to take additional risks. (5.2)

11
Q

Which of the following describes a monetary loss if one event occurs?

❍ A. ALE
❍ B. SLE
❍ C. RTO
❍ D. ARO

A

B. SLE

SLE (Single Loss Expectancy) describes the financial impact of a single event. (5.2)

12
Q

What is SLE?

A

Single Loss Expectancy. The monetary loss received if one single event occurs. AV x EF = SLE

13
Q

A transportation company is installing new wireless access points in their corporate office. The manufacturer estimates the access points will operate an average of 100,000 hours before a hardware-related outage. Which of the following describes this estimate?

❍ A. MTTR
❍ B. RPO
❍ C. RTO
❍ D. MTBF

A

D. MTBF

The MTBF (Mean Time Between Failures) is the average time expected between outages. This is usually an estimation based on the internal device components and their expected operational lifetime. (5.2)

14
Q

An organization has previously purchased insurance to cover a ransomware attack, but the costs of maintaining the policy have increased above the acceptable budget. The company has now decided to cancel the insurance policies and address potential ransomware issues internally. Which of the following would best describe this action?

❍ A. Mitigation
❍ B. Acceptance
❍ C. Transference
❍ D. Risk-avoidance

A

B. Acceptance

Risk acceptance is a business decision that places the responsibility of the risky activity on the organization itself. (5.2)

15
Q

Which of the following would be the best way to describe the estimated number of laptops that might be stolen in a fiscal year?

❍ A. ALE
❍ B. SLE
❍ C. ARO
❍ D. MTTR

A

C. ARO

The ARO (Annualized Rate of Occurrence) describes the number of instances estimated to occur in a year. For example, if the organization expects to lose seven laptops to theft in a year, the ARO for laptop theft is seven. (5.2)

16
Q

What is ARO?

A

Annualized Rate of Occurrence. How often a risk will occur in a single year.

17
Q

The IT department of a transportation company maintains an on-site inventory of chassis-based network switch interface cards. If a failure occurs, the on-site technician can replace the interface card and have the system running again in sixty minutes. Which of the following BEST describes this recovery metric?

❍ A. MTBF
❍ B. MTTR
❍ C. RPO
❍ D. RTO

A

B. MTTR

MTTR (Mean Time To Restore) is the amount of time required to get back up and running. This is sometimes called Mean Time To Repair. (5.2)

18
Q

Each year, a certain number of laptops are lost or stolen and must be replaced by the company. Which of the following would describe the total cost the company spends each year on laptop replacements?

❍ A. SLE
❍ B. SLA
❍ C. ALE
❍ D. ARO

A

C. ALE

The ALE (Annual Loss Expectancy) is the total amount of the financial loss over an entire year. (5.2)

19
Q

What is ALE?

A

Annualized Loss Expectancy. The monetary loss received over the course of a year. ARO x SLE = ALE

20
Q

Two companies have been working together for a number of months, and they would now like to qualify their partnership with a broad formal agreement between both organizations. Which of the following would describe this agreement?

❍ A. SLA
❍ B. SOW
❍ C. MOA
❍ D. NDA

A

C. MOA

An MOA (Memorandum of Agreement) is a formal document where both sides agree to a broad set of goals and objectives associated with the partnership. (5.3)

21
Q

What is an MOA?

A

Memorandum of Agreement. The step above an MOU. Both sides conditionally agree to the objectives laid out. It can be considered a legal document, but it doesn’t have to contain all of the legal language.

22
Q

A company is accepting proposals for an upcoming project, and one of the responses is from a business owned by a board member. Which of the following would describe this situation?

❍ A. Due diligence
❍ B. Vendor monitoring
❍ C. Conflict of interest
❍ D. Right-to-audit

A

C. Conflict of interest

A conflict of interest occurs when a personal interest in a business transaction could compromise the judgment of the people involved. Personal and family relationships between organizations may potentially be a conflict of interest. (5.3)

23
Q

A company has signed an SLA with an Internet service provider. Which of the following would BEST describe the requirements of this SLA?

❍ A. The customer will connect to remote sites over an IPsec tunnel
❍ B. The service provider will provide 99.99% uptime
❍ C. The customer applications use HTTPS over tcp/443
❍ D. Customer application use will be busiest on the 15th of each month

A

B. The service provider will provide 99.99% uptime

An SLA (Service Level Agreement) is a contract specifying the minimum terms for provided services. It’s common to include uptime, response times, and other service metrics in an SLA. (5.3)

24
Q

A medical imaging company would like to connect all remote locations together with high speed network links. The network connections must maintain high throughput rates and must always be available during working hours. In which of the following should these requirements be enforced with the network provider?

❍ A. Service level agreement
❍ B. Memorandum of understanding
❍ C. Non-disclosure agreement
❍ D. Acceptable use policy

A

A. Service level agreement

A service level agreement (SLA) is used to contractually define the minimum terms for services. In this example, the medical imaging company would require an SLA from the network provider for the necessary throughput and uptime metrics. (5.3)

25
Q

A company has created an itemized list of tasks to be completed by a third-party service provider. After the services are complete, this document will be used to validate the completion of the services. Which of the following would describe this agreement type?

❍ A. SLA
❍ B. SOW
❍ C. NDA
❍ D. BPA

A

B. SOW

A SOW (Statement of Work) is a detailed list of tasks, items, or processes to be completed by a third party. The SOW lists the job scope, location, deliverables, and any other specifics associated with the agreement. The SOW is also used as a checklist to verify the job was completed properly by the service provider. (5.3)

26
Q

A system administrator receives a text alert when access rights are changed on a database containing private customer information. Which of the following would describe this alert?

❍ A. Maintenance window
❍ B. Attestation and acknowledgment
❍ C. Automation
❍ D. External audit

A

C. Automation

Automation ensures that compliance checks can be performed on a regular basis without the need for human intervention. This can be especially useful to provide alerts when a configuration change causes an organization to be out of compliance. (5.4)

27
Q

A web-based manufacturing company processes monthly charges to credit card information saved in the customer’s profile. All of the customer information is encrypted and protected with additional authentication factors. Which of the following would be the justification for these security controls?

❍ A. Chain of custody
❍ B. Password vaulting
❍ C. Compliance reporting
❍ D. Sandboxing

A

C. Compliance reporting

The storage of sensitive information such as customer details and payment information may require additional reporting to ensure compliance with the proper security controls. (5.4)

28
Q

Before deploying a new application, a company is performing an internal audit to ensure all of their servers are configured with the appropriate security features. Which of the following would BEST describe this process?

❍ A. Due care
❍ B. Active reconnaissance
❍ C. Data retention
❍ D. Statement of work

A

A. Due care

Due care describes a duty to act honestly and in good faith. Due diligence is often associated with third-party activities, and due care tends to refer to internal activities. (5.4)

29
Q

An administrator is designing a network to be compliant with a security standard for storing credit card numbers. Which of the following would be the BEST choice to provide this compliance?

❍ A. Implement RAID for all storage systems
❍ B. Connect a UPS to all servers
❍ C. DNS should be available on redundant servers
❍ D. Perform regular audits and vulnerability scans

A

D. Perform regular audits and vulnerability scans

A focus of credit card storage compliance is to keep credit card information private. The only option matching this requirement is scheduled audits and ongoing vulnerability scans. (5.4)

30
Q

A security administrator has been tasked with storing and protecting customer payment and shipping information for a three-year period. Which of the following would describe the source of this data?

❍ A. Controller
❍ B. Owner
❍ C. Data subject
❍ D. Processor

A

C. Data subject

In data privacy, the data subject describes an individual with personal data. Payment details and shipping addresses describe personal information from a data subject. (5.4)

31
Q

What is the data subject?

A

Any information relating to an identified or identifiable natural person with personal data.

32
Q

A security administrator has compiled a list of all information stored and managed by an organization. Which of the following would best describe this list?

❍ A. Sanitization
❍ B. Metadata
❍ C. Known environment
❍ D. Data inventory

A

D. Data inventory

A data inventory describes a list of all data managed by an organization. This inventory includes the owner, update frequency, and format of the data. (5.4)

33
Q

A company has hired a third party to gather information about the company’s servers and data. This third party will not have direct access to the company’s internal network, but they can gather information from any other source. Which of the following would BEST describe this approach?

❍ A. Vulnerability scanning
❍ B. Passive reconnaissance
❍ C. Supply chain analysis
❍ D. Regulatory audit

A

B. Passive reconnaissance

Passive reconnaissance focuses on gathering as much information as possible from open sources such as social media, corporate websites, and business organizations. (5.5)

34
Q

An online retailer is planning a penetration test as part of their PCI DSS validation. A third-party organization will be performing the test, and the online retailer has provided the Internet-facing IP addresses for their public web servers. No other details were provided. What penetration testing methodology is the online retailer using?

❍ A. Known environment
❍ B. Passive reconnaissance
❍ C. Partially known environment
❍ D. Benchmarks

A

C. Partially known environment

A partially known environment test is performed when the attacker knows some information about the victim, but not all information is available. (5.5)

35
Q

As part of an internal audit, each department of a company has been asked to compile a list of all devices, operating systems, and applications in use. Which of the following would BEST describe this audit?

❍ A. Attestation
❍ B. Self-assessment
❍ C. Regulatory compliance
❍ D. Vendor monitoring

A

B. Self-assessment

A self-assessment describes an organization performing their own security checks. (5.5)

36
Q

A third party has been contracted to perform a penetration test on a company’s public web servers. The testing company has been provided with the external IP addresses of the servers. Which of the following would describe this scenario?

❍ A. Defensive
❍ B. Active reconnaissance
❍ C. Partially known environment
❍ D. Regulatory

A

C. Partially known environment

A partially known environment provides limited information about the testing systems and networks during a penetration test. (5.5)

37
Q

A company has contracted with a third party to provide penetration testing services. The service includes a port scan of each externally-facing device. This is an example of:

❍ A. Initial exploitation
❍ B. Privilege escalation
❍ C. Known environment
❍ D. Active reconnaissance

A

D. Active reconnaissance

Active reconnaissance sends traffic across the network, and this traffic can be viewed and logged. Performing a port scan will send network traffic to a server, and most port scan attempts can be identified and logged by an IPS (Intrusion Prevention System). (5.5)

38
Q

What is active reconnaissance?

A

Information needed before an attack that is gathered by interacting directly with the devices and systems themselves, for example ping scans, port scans, and DNS queries.

39
Q

A company has recently moved from one accounting system to another, and the new system includes integration with many other divisions of the organization. Which of the following would ensure that the correct access has been provided to the proper employees in each division?

❍ A. Geolocation
❍ B. Onboarding process
❍ C. Account de-provisioning
❍ D. Internal self-assessment

A

D. Internal self-assessment

An internal self-assessment with an audit can verify that users have the correct permissions and that all users meet the practice of least privilege. (5.5)

40
Q

Employees of an organization have received an email with a link offering a cash bonus for completing an internal training course. Which of the following would BEST describe this email?

❍ A. Watering hole attack
❍ B. Cross-site scripting
❍ C. Zero-day
❍ D. Phishing campaign

A

D. Phishing campaign

A phishing campaign is an internal process used to test the security habits of the user community. An email with a link from a server not under the control of the company could be an email sent by the IT department as part of a phishing campaign. (5.6)

41
Q

A company is implementing a quarterly security awareness campaign. Which of the following would MOST likely be part of this campaign?

❍ A. Suspicious message reports from users
❍ B. An itemized statement of work
❍ C. An IaC configuration file
❍ D. An acceptable use policy document

A

A. Suspicious message reports from users

A security awareness campaign often involves automated phishing attempts, and most campaigns will include a process for users to report a suspected phishing attempt to the IT security team. (5.6)

42
Q

A company has noticed an increase in support calls from attackers. These attackers are using social engineering to gain unauthorized access to customer data. Which of the following would be the BEST way to prevent these attacks?

❍ A. User training
❍ B. Next-generation firewall
❍ C. Internal audit
❍ D. Penetration testing

A

A. User training

Many social engineering attacks do not involve technology, so the best way to prevent the attack is to properly train users to watch for these techniques. (5.6)

43
Q

A company is implementing a security awareness program for their user community. Which of the following should be included for additional user guidance and training?

❍ A. Daily firewall exception reporting
❍ B. Information on proper password management
❍ C. Periodic vulnerability scanning of external services
❍ D. Adjustments to annualized loss expectancy

A

B. Information on proper password management

User awareness programs focus on security fundamentals that everyone in the organization can use during their normal work day. Protecting and managing passwords is an important security consideration for all users in the company. (5.6)

44
Q

A security administrator is preparing a phishing email as part of a periodic employee security awareness campaign. The email is spoofed to appear as an unknown third-party and asks employees to immediately click a link or their state licensing will be revoked. Which of the following should be the expected response from the users?

❍ A. Delete the message
❍ B. Click the link and make a note of the URL
❍ C. Forward the message to others in the department
❍ D. Report the suspicious link to the help desk

A

D. Report the suspicious link to the help desk

The users should be trained to report anything suspicious, and unusual links in an email message would certainly be an important security concern. (5.6)

45
Q

A security administrator has created a policy to alert if a user modifies the hosts file on their system. Which of the following behaviors does this policy address?

❍ A. Unexpected
❍ B. Self-assessment
❍ C. Unintentional
❍ D. Risky

A

D. Risky

Making a change to the hosts file can be a security concern, and many systems will prevent this change without elevated permissions. Modifying the hosts file would be categorized as risky behavior. (5.6)

46
Q

A receptionist at a manufacturing company recently received an email from the CEO asking for a copy of the internal corporate employee directory. It was later determined that the email address was not sent from the CEO and the domain associated with the email address was not a corporate domain name. What type of training could help identify this type of attack in the future?

❍ A. Recognizing social engineering
❍ B. Proper password management
❍ C. Securing remote work environments
❍ D. Understanding insider threats

A

A. Recognizing social engineering

Impersonating the CEO is a common social engineering technique. There are many ways to recognize a social engineering attack, and it’s important to train everyone to spot these situations when they are occurring. (5.6)